Well, I want to ask help from the good expert programming guys who visit this forum to find a way to get rid of the activation watermark. I was wasting time checking the files twinui.dll and twinui.appcore.dll. I am a newbie in hex editing, DLL injection and DLL hooking. But these are the results of the time spent looking for a way to take off the watermark until the other smart guys find the key for the KMS v6 protocol.

Twinui.dll, some imports in IDA:

Code:
    api-ms-win-core-winrt-string-l1-1-0.dll:
    __declspec(dllimport) __stdcall WindowsCreateString(x, x, x)
    __declspec(dllimport) __stdcall WindowsGetStringLen(x)
    __declspec(dllimport) __stdcall WindowsGetStringRawBuffer(x, x)
    __declspec(dllimport) __stdcall WindowsIsStringEmpty(x)
    __declspec(dllimport) __stdcall WindowsGetStringLen(x)
    __declspec(dllimport) __stdcall WindowsCreateStringReference(x, x, x, x)

    UxTheme.dll:
    __declspec(dllimport) __stdcall BeginBufferedPaint(x, x, x, x, x)
    HRESULT __stdcall GetThemeColor(HTHEME hTheme, int iPartId, int iStateId, int iPropId, COLORREF *pColor)
    __declspec(dllimport) __stdcall EndBufferedPaint(x, x)
    HTHEME __stdcall OpenThemeData(HWND hwnd, LPCWSTR pszClassList)
    __declspec(dllimport) __stdcall DrawThemeTextEx(x, x, x, x, x, x, x, x, x)
    __declspec(dllimport) __stdcall BufferedPaintInit()
    __declspec(dllimport) __stdcall GetThemeTimingFunction(x, x, x, x, x)

    DUI70.dll:
    __declspec(dllimport) public: virtual void __thiscall DirectUI::RichText::Paint(struct HDC__ *, struct tagRECT const *, struct tagRECT const *, struct tagRECT *, struct tagRECT *)

    api-ms-win-core-winrt-l1-1-0.dll:
    __declspec(dllimport) __stdcall RoGetActivationFactory(x, x, x)
    __declspec(dllimport) __stdcall RoActivateInstance(x, x

    api-ms-win-core-sysinfo-l1-2-1.dll:
    void __stdcall GetSystemInfo(LPSYSTEM_INFO lpSystemInfo)
    __declspec(dllimport) __stdcall GetTickCount64()
    DWORD __stdcall GetTickCount()

Twinui.appcore.dll, some imports in IDA:

Code:
    ext-ms-win-ntuser-misc-l1-2-0.dll:
    BOOL __stdcall KillTimer(HWND hWnd, UINT_PTR uIDEvent)

    api-ms-win-core-processthreads-l1-1-2.dll:
    BOOL __stdcall GetProcessTimes(HANDLE hProcess, LPFILETIME lpCreationTime, LPFILETIME lpExitTime, LPFILETIME lpKernelTime, LPFILETIME lpUserTime)

    api-ms-win-security-base-l1-2-0.dll:
    BOOL __stdcall GetTokenInformation(HANDLE TokenHandle, TOKEN_INFORMATION_CLASS TokenInformationClass, LPVOID TokenInformation, DWORD TokenInformationLength, PDWORD ReturnLength)

Twinui.dll, some exports in IDA:

Code:
    HRESULT __stdcall DllCanUnloadNow()
    HRESULT __stdcall DllGetActivationFactory(HSTRING__ *activatableClassId, IActivationFactory **factory)

Function DllGetActivationFactory in W32Dasm and HexView for Twinui.dll (x86):

Code:
    Exported fn(): DllGetActivationFactory - Ord:0002h
    :10040205 8BFF          mov edi, edi
    :10040207 55            push ebp
    :10040208 8BEC          mov ebp, esp
    :1004020A E8FE930400    call 1008960D
    :1004020F 8BC8          mov ecx, eax
    :10040211 5D            pop ebp
    :10040212 90            nop
    :10040213 90            nop
    :10040214 90            nop
    :10040215 90            nop
    :10040216 90            nop
    :10040217 8BFF          mov edi, edi
    :10040219 55            push ebp
    :1004021A 8BEC          mov ebp, esp
    :1004021C 83EC38        sub esp, 00000038
    :1004021F A190E14110    mov eax, dword ptr [1041E190]
    :10040224 33C5          xor eax, ebp
    :10040226 8945FC        mov dword ptr [ebp-04], eax
    :10040229 53            push ebx
    :1004022A 8B5D0C        mov ebx, dword ptr [ebp+0C]
    :1004022D 56            push esi
    :1004022E 8B7508        mov esi, dword ptr [ebp+08]
    :10040231 57            push edi
    :10040232 832300        and dword ptr [ebx], 00000000
    :10040235 8BF9          mov edi, ecx
    :10040237 56            push esi
    :10040238 FF1538D04110  call dword ptr [1041D038] //WindowsIsStringEmpty
    :1004023E 85C0          test eax, eax
    :10040240 0F8508AC1E00  jne 1022AE4E
    :10040246 8D45C8        lea eax, dword ptr [ebp-38]
    :10040249 50            push eax
    :1004024A 56            push esi
    :1004024B FF1530D04110  call dword ptr [1041D030] //WindowsStringHasEmbeddedN
    :10040251 85C0          test eax, eax
    :10040253 0F88F5AB1E00  js 1022AE4E
    :10040259 837DC801      cmp dword ptr [ebp-38], 00000001
    :1004025D 0F84EBAB1E00  je 1022AE4E
    :10040263 6A00          push 00000000
    :10040265 56            push esi
    :10040266 FF1524D04110  call dword ptr [1041D024] //WindowsGetStringRawBuffer
    :1004026C 8B0F          mov ecx, dword ptr [edi]
    :1004026E 57            push edi
    :1004026F 8945CC        mov dword ptr [ebp-34], eax
    :10040272 FF5114        call [ecx+14]
    :10040275 8B0F          mov ecx, dword ptr [edi]
    :10040277 57            push edi
    :10040278 8D7004        lea esi, dword ptr [eax+04]
    :1004027B FF5118        call [ecx+18]
    :1004027E 8945D0        mov dword ptr [ebp-30], eax

I tried changing the function DllGetActivationFactory to "90" (nop) and still nothing happened. The same function is in twinui.appcore.dll and Windows.UI.Xaml.dll. I also tried to change UxTheme.dll, and no luck. So any ideas, while somebody else is working on the KMS emulator, would be great.
There is also this:

Code:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Activation]
    "ActivationInterval"=dword:000dbba0
    "Manual"=dword:00000001
    "NotificationDisabled"=dword:00000001
For my test VHD boot of Windows 8.1 Enterprise x64 I used ru-board member stea's evaluation activator. Just to get rid of the activation nag text, it is working fine. Removed the build number watermark using My WCP Watermark Editor. Store, Update, everything working.
Hmmm, the Activate Windows watermark. The watermark itself is tied to sppsvc. Hang on a sec, I need to check my notes... (goes through notes)... Damn, my notes on this are not complete for the shell side. However, twinui.dll has nothing to do with the activation side you're looking for. Twinui.dll reports to the Metro side directly in order to pass information from the main activation DLLs to Systemsettings.exe, which shows the Activation in the Metro menu. In other words, you're not looking in the right spot. The activation watermark is actually tied to sppsvc, as Windows adds that mark from that service and not from explorer.exe or twinui.dll, for that matter.
Well, to be more precise, twinui.dll links to systemsettings.exe, which is the Metro side for the activation. This inherently links to slc.dll, passing on information to sppsvc.exe. (This is deep stuff.) The watermark has two sides to it. One is the version and evaluation information; the other is the service that runs on top of that, which is sppsvc.exe, which links up with everything to make the activation system run coherently. This system makes up more than two dozen files (if not more) on the system and even runs in the kernel, with a few files linking to it (I got bored). In an advisory context I would not look to bypass the activation watermark. I would simply try to look for a way to remove all the activation messages and spoof it. The information provided here is not circumstantial, as I have notes regarding this. You're not thinking big enough. The activation is a multi-file system that runs through a momentous amount of files. If you want to see what it runs through, simply look at the import/export table. You are correct regarding uxtheme.dll, though, as it has an SLC call that runs through the import table. That being said, if I need to write down notes with the amount of information IDA normally provides, then it's for good reason: you should look at the big picture.
Why would anyone hack-activate their OS to patch some watermarks? In Windows 8.0 all that was needed was to patch shell32.dll and twinui.dll to remove all watermarks; that's what I did.
I think, in terms of activation, you could not compare Windows 8 with Windows 8.1; there are too many differences between those two versions!
Actually, when I started looking at Windows 8.1 I just took out my Windows 8 notes and started. The differences are not even that great. The general point is that you'd have better luck cracking Windows than removing the watermark.
You say it is not related to explorer.exe, but when you close explorer.exe the activate watermark disappears.
The explorer portion of the activation was removed following the development of Windows 8. However, if it's not in explorer.exe, it's in one of the dependencies of the OS, as is the case with uxtheme.dll. Also, it takes freaking forever to reverse engineer Windows licensing because of the amount of files. I have no doubt that somehow the watermark is tied to slc.dll, but I can't directly connect the dots.
sppsvc checks the tokens and data (and maybe some more; I'm not completely sure, no bullet-proof knowledge from my side) and writes your license information into this reg value! The kernel license IS this reg value. With sppsvc disabled and the reg key edited I can still run W8 without any complaints (except updates that contain xrm-ms files). You can edit all the license information as you want and can, e.g., enable LOB and so on. All queries from applications and so on belong to this long value. The reg data is generated from the tokens.dat and gets refreshed over time. That's pretty much a fact, as I'm running multiple VMs for testing purposes exclusively for this issue.
And it is more or less all about tokens.dat. If there were a patched sppsvc which accepts xrm-ms files without checking the hashes, you could pretty easily create some xrm-ms file which would activate your system completely offline. Windows Embedded 7, e.g., has complete offline activation. It may be possible to extract the activation info within the SKU file with Win8 SKU files with adapted license IDs and so on. There are many ways possible, but as I said, the reg key would be the easiest way, I guess.
That's my point: you could edit the tokens.dat, or data.dat for that matter, and not make any progress. The general presumption of tokens.dat being the main file which sppsvc checks for is flawed. The registry keys merely connect sppsvc with the xrm-ms files in such a way that if you edit them out, it restores them on a reboot. IF it was that easy to bypass the activation, it would have been done already. Why make a licensing system which could easily be bypassed in such a manner? The tokens back up to a secondary location for sppsvc in case they're modified, as does the registry. And at the kernel level, if you try to mod that you basically BSOD the whole system. Again, you guys are not thinking big enough. The xrm-ms files and tokens play a big role in the activation system but are not all the pieces in the puzzle. I'm merely going to be a reference person in this case, as my days of having time to crack Windows have come and gone, lol. Offline activation inevitably requires input from the activation server to activate the product, so you are trying to reinvent the wheel. Look for a portion of the activation that is inherently flawed, then chip at it.